Field Name | Example Values | Field Type | Notes |
---|---|---|---|
http_application | | keyword | Layer 7 application name |
http_bytes | 29347485 | long | Sum of request + response bytes |
http_content_type | application/octet-stream | keyword | MIME type of the HTTP content |
http_headers | | keyword | Full list of HTTP headers |
http_host | Host: www.mycorp.local | keyword | `host:` header from the request, if present |
http_referrer | http://mycorp.local/ | keyword | `referer` header value, if present |
http_request_bytes | 239478 | long | Size of request |
http_request_method | GET, POST | keyword | HTTP request method |
http_request_path | /path/to/resource?option=test | keyword | Need to review field length/truncation at 8192 characters (consider UTF-8). Some may consider the path not to include the "query" (text after the last "/"), but this value may include it. |
http_response_bytes | 498274 | long | Size of response |
http_response | OK, Moved Permanently | keyword | Text response mapped from the response code |
http_response_code | 200, 404, 500 | integer | Numeric server response code |
http_uri | https://www.graylog.org, https://www.graylog.org/blog, https://www.mycorp.local/workspaces/team#posts | keyword | Full request string. Need to review field length/truncation at 8192 characters (consider UTF-8) |
http_uri_category | Suspicious, Games | keyword | Categorization of the associated web site/URL |
http_uri_stem | Default.htm | keyword | The target of the request. For example, for http://www.test.com/test.jsp?hello=y the URI stem is /test.jsp |
http_uri_query | hello=y | keyword | The query the client was trying to perform. For example, for http://www.test.com/test.jsp?hello=y the query is hello=y |
http_user_agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0 | keyword | User-Agent string |
http_user_agent_name | Firefox | keyword | Attempted identification of the browser client, usually based on user agent analysis |
http_user_agent_os | Windows 10 | keyword | Operating system of the user agent |
http_version | 1.0, 1.1, 2.0 | keyword | HTTP version |
http_xff | X-Forwarded-For: 10.1.2.3 | keyword | HTTP X-Forwarded-For header value. Future: may map as IP; need to account for the different ways this is presented. |
Field Name | Example Values | Field Type | Notes |
---|---|---|---|
http_request_path_analyzed | | TBD | Need to review best analyzer configuration for HTTP paths / consider truncation |
http_uri_analyzed | ftp://ftp01.server.internal/file.tar.gz, https://www.graylog.org, https://www.graylog.org/blog | text/standard | Optionally copied when a URL must be tokenized. Future: will have to research best analyzer config / consider truncation |
http_uri_length | 9283 | long | String length of the http_uri value |
http_user_agent_analyzed | | text/standard | A copy of the http_user_agent field, processed with text analysis |
http_user_agent_length | 54 | long | String length of the original user agent |
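As an added example (not Graylog's own code), the following normalizer derives the fields above from a raw request: it splits the URI into `http_uri_stem` and `http_uri_query` exactly as the table's `test.jsp?hello=y` example describes, records the `*_length` values from the untruncated strings, truncates on characters rather than bytes so the 8192-character limit never splits a UTF-8 sequence, and accepts the `http_xff` value either as a full header line or as a bare value. The function names and the 8192 constant's name are assumptions made here.

```python
from typing import Optional
from urllib.parse import urlsplit

# Truncation limit the field notes flag for http_uri / http_request_path (name assumed here).
MAX_FIELD_CHARS = 8192


def truncate(value: str, limit: int = MAX_FIELD_CHARS) -> str:
    # Slice on Unicode code points, not encoded bytes, so a multi-byte UTF-8
    # character is never cut in half by the 8192 limit.
    return value[:limit]


def xff_value(raw: Optional[str]) -> Optional[str]:
    # The header may arrive as "X-Forwarded-For: 10.1.2.3" or as just "10.1.2.3";
    # strip the header name if present and keep the (possibly comma-separated) value.
    if not raw:
        return None
    name, sep, rest = raw.partition(":")
    if sep and name.strip().lower() == "x-forwarded-for":
        raw = rest
    return raw.strip() or None


def http_fields(method: str, uri: str, user_agent: str,
                xff: Optional[str] = None) -> dict:
    """Map one request onto the http_* fields of the model above."""
    parts = urlsplit(uri)
    stem = parts.path or "/"
    # Path as the notes describe it: the stem plus the query, when one is present.
    request_path = stem + ("?" + parts.query if parts.query else "")
    return {
        "http_request_method": method,
        "http_uri": truncate(uri),
        "http_uri_length": len(uri),            # measured before truncation
        "http_host": parts.hostname,
        "http_uri_stem": stem,
        "http_uri_query": parts.query or None,
        "http_request_path": truncate(request_path),
        "http_user_agent": user_agent,
        "http_user_agent_length": len(user_agent),
        "http_xff": xff_value(xff),
    }
```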